有人可以请我解释为什么这个代码将新书插入我的数据库会出现此错误:
错误:无法执行INSERT INTO书籍(电子邮件,姓名,价格)VALUES(jacob.stern@mail.yu.edu,Jack turell的生活指南,100美元)。您的SQL语法有错误;查看与您的MariaDB服务器版本相对应的手册,以便在第2行“@ mail.yu.edu,Jack turell的生活指南,100美元”附近使用正确的语法
session_start();
$book = $_POST["book"];
//$condition = $_PST["condition"];
$price = $_POST["price"];
$email = $_SESSION["email"];
$book = $link->real_escape_string($book);
$price = $link->real_escape_string($price);
$email = $link->real_escape_string($email);
// Create connection
$link = mysqli_connect($servername, $username, $password, $dbname);
// Check connection
if($link === false){
die("ERROR: Could not connect. " . mysqli_connect_error());
}
if( $email===null ){
header("Location: http://yutradecircle.com/index.html");
}
else{
$sql = "INSERT INTO books (Email, Name, Price)
VALUES ('{$email}', '{$book}', '{$price}')";
if (mysqli_query($link, $sql)) {
echo "New record created successfully</br><a href='tradecircle.php'>Home</a>";
} else {
echo "ERROR: Could not able to execute $sql. " . mysqli_error($link);
}
}
mysqli_close($link);
答案 0 :(得分:1)
您需要在VALUES中添加引号,并根据您首先要转义这些变量所需的错误,因为Name中有引号。
$book = $link->real_escape_string($book);
$email = $link->real_escape_string($email);
$price = $link->real_escape_string($price);
然后:
$sql = "INSERT INTO books (Email, Name, Price) VALUES ('$email', '$book', '$price')";
一般来说,构建这样的字符串是一个安全问题。查看PDO并使用它构建插件或阻止SQL注入的类似库。
答案 1 :(得分:0)
您需要将字符串值的引号用作:
$sql = "INSERT INTO books (Email, Name, Price) VALUES ('$email', '$book', '$price')";